I don't understand the letsencrypt certbot renewal process, specifically
the hooks.

I have two certificates: one for webserver, one for mailserver. I got
them only very recently, so until now the renewal cronjob has always
been a no-op, but the real thing will happen very soon. When it does,
presumably I need to have both daemons restarted so that they read the
renewed certificates. So, how do I do this? Right now my cronjob is
just

certbot renew -n --standalone --preferred-challenges tls-sni

which should renew any and all certificates when they're "close" to
expiring. But the documentation doesn't say if I can have multiple
--pre-hook and --post-hook options and what the semantics would be. The
closest it comes is:

When renewing several certificates that have identical pre-hooks, only
the first will be executed.

which doesn't make any sense: what does it mean for a certificate to
"have" a pre-hook? The pre-hook is just there on the command line,
there is no association with a particular certificate that a machine
could infer.

The cop-out solution is to have a single pre-hook and a single
post-hook, which stop (resp. start) both daemons, but that is ugly. How
do people handle this?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
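An added example, not part of the original post: a single certbot deploy hook that reloads only the daemon whose certificate was actually renewed, so neither per-certificate pre/post-hooks nor a stop-everything post-hook is needed. It assumes a certbot version that runs executable scripts from /etc/letsencrypt/renewal-hooks/deploy/ once per renewed certificate with RENEWED_LINEAGE set to that certificate's lineage directory; the hostnames and service names are constructed placeholders.

```shell
#!/bin/sh
# Deploy hook (added example, not from the original post). Install as
# /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (executable);
# certbot then runs it once per certificate that was actually renewed,
# with RENEWED_LINEAGE=/etc/letsencrypt/live/<name>. Nothing runs when
# no certificate was due, so the daily cronjob stays a no-op.

# Map a lineage directory to the service(s) that read its files.
# Hostnames and service names here are constructed placeholders.
# Prints the service list; returns 1 (prints nothing) for unknown lineages.
service_for_lineage() {
    case "$(basename "$1")" in
        www.example.org)  echo "nginx" ;;
        mail.example.org) echo "postfix dovecot" ;;
        *)                return 1 ;;
    esac
}

# Refuse to touch a daemon unless the renewed lineage is complete:
# a missing key or chain would leave the daemon unable to reload.
lineage_is_complete() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Reload (not restart) every service mapped to the lineage, so existing
# connections survive. Returns non-zero on a bad mapping or missing
# files so the failure shows up in certbot's output instead of being
# silently skipped.
reload_for_lineage() {
    lineage="$1"
    lineage_is_complete "$lineage" || {
        echo "deploy-hook: $lineage lacks fullchain.pem/privkey.pem" >&2
        return 1
    }
    services=$(service_for_lineage "$lineage") || {
        echo "deploy-hook: no service mapped for $lineage" >&2
        return 1
    }
    for svc in $services; do
        systemctl reload "$svc" || return 1
    done
}

# Act only when invoked by certbot (RENEWED_LINEAGE set); when the file
# is sourced for testing, the functions are defined and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_for_lineage "$RENEWED_LINEAGE"
fi
```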